In March 2022, threat actors took advantage of the conflict in Ukraine to push their agenda.
A group called Ember Bear was behind the new malware dubbed WhisperGate, which targeted Ukrainian government agencies. HermeticWiper is another wiper used by threat actors in Ukraine; this data-wiping malware impacted hundreds of computers on networks across Ukraine. We also saw a new variant of LokiLocker, a ransomware-as-a-service (RaaS) family with possible origins in Iran. That malware was updated with a built-in wiper that erases all non-system files from infected Windows PCs.
Also in March, TA416, a threat actor linked to the Chinese government, increased its campaigns against European governments. TA416 updated the payload of its PlugX malware with the PotPlayerDB.dat variant, which used an updated encoding method and added payload configuration capabilities. The campaign used web bugs to profile its targets: the tracking pixel is a hyperlinked, non-visible object embedded in the email body, and once remote content is enabled, the object retrieves a benign image file from the actor-controlled server, confirming to the actor that the targeted account is valid. The malware leveraged a vulnerability in potplayermini.exe to load the file PotPlayer.dll, which contained an obfuscated launcher that, in turn, executed the file PotPlayerDB.dat. The DocConvDll.dll file was also used as a loader for the PlugX DAT configuration files, similar to the Trident Loader method that TA416 used in previous campaigns to install PlugX.
Furthermore, this version also used obfuscation to avoid detection, resolving API functions at runtime. Most functions containing the malware's "business logic" were obfuscated with a state machine: a state variable is maintained and compared many times within the function. This makes analysis difficult because the states are not hardcoded but are computed as the result of a function.
Another notorious state-sponsored Chinese threat group, APT41, was targeting North American state governments. The threat actors are known to use malicious ViewStates to trigger code execution against targeted web applications. ViewState is the ASP.NET framework's method for storing a page's and its controls' values in the HTTP requests to and from the server. It is sent to the server with each HTTP request as a Base64-encoded string in a hidden form field. The web server decodes the string and applies additional transformations to unpack it into data structures the server can use. To prevent manipulation, the ViewState is protected by a Message Authentication Code (MAC) keyed with the application's machineKey, which must therefore be kept confidential.
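To make the MAC protection described above concrete, here is an added example (not Cymulate's or ASP.NET's own code): a simplified Python model of a MAC-protected ViewState field. It assumes a JSON payload, HMAC-SHA256 and a hypothetical per-page generator string standing in for `__VIEWSTATEGENERATOR`; the real framework's serializer and key derivation differ.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 tag appended to the serialized state


def issue_viewstate(state: dict, page_generator: str, validation_key: bytes) -> str:
    """Serialize page state and append a MAC keyed by the machineKey.

    page_generator models the per-page modifier, so state issued for one
    page does not verify on another page of the same application.
    """
    payload = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(validation_key, page_generator.encode() + payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def verify_viewstate(field: str, page_generator: str, validation_key: bytes) -> Optional[dict]:
    """Return the state if the MAC verifies, otherwise None (the server rejects it)."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, page_generator.encode() + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return json.loads(payload)


def flip_first_byte(field: str) -> str:
    """Simulate in-transit tampering: alter one byte of the decoded blob and re-encode."""
    raw = bytearray(base64.b64decode(field))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


def demo(validation_key: bytes) -> dict:
    """Exercise the cases the text implies (constructed sample state and generator)."""
    gen = "CA0B0334"
    good = issue_viewstate({"sort": "name"}, gen, validation_key)
    return {
        "valid_accepted": verify_viewstate(good, gen, validation_key) == {"sort": "name"},
        "tampered_rejected": verify_viewstate(flip_first_byte(good), gen, validation_key) is None,
        "other_page_rejected": verify_viewstate(good, "DEADBEEF", validation_key) is None,
        # Anyone holding the validation key can mint state the server trusts:
        # the MAC only helps while the machineKey stays confidential.
        "key_holder_accepted": verify_viewstate(
            issue_viewstate({"sort": "id"}, gen, validation_key), gen, validation_key) == {"sort": "id"},
    }
```

The last case is the point of the passage: once the machineKey is known to an attacker, the MAC no longer distinguishes legitimate state from forged state, so key secrecy and rotation are the control to monitor.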
In our previous wrap-up of the month, we covered the cyberattack that hit US chipmaker Nvidia Corp. In March, Lapsus$, the threat actors behind the cyberattack, leaked an Nvidia code-signing certificate that expired in 2014. Code signed with this certificate could still be accepted by Windows. The threat actors appear to be blackmailing Nvidia into removing Lite Hash Rate (LHR), which cripples cryptocurrency mining, from its GPU firmware. Lapsus$ announced on its Telegram page that it will leak more internal materials and details of chip blueprints unless LHR is removed and Nvidia open-sources its drivers for Macs, Linux, and Windows PCs.
To find out if your organization is protected against the latest malware attacks, run Cymulate's Immediate Threats assessment. This allows you to test and verify for yourself whether your organization is exposed to these attacks. It also offers suggestions for mitigations in case it turns out that your organization is indeed vulnerable. IOCs are also available in the Cymulate UI!
Stay cyber safe!
Eyal is the VP of Customer Success at Cymulate. Over the last 15 years Eyal has performed in a number of critical roles in the information and cyber security fields, providing services for global organizations in a wide range of sectors.